
enhance(backend): Change the key derivation function used for password hashing from bcrypt to Argon2 #14824

Open · wants to merge 1 commit into develop

Conversation

@sorairolake (Contributor) commented Oct 23, 2024

What

  • Change the key derivation function used for password hashing from bcrypt to Argon2 (Argon2id).
  • Keep the ability to verify passwords hashed with bcrypt in order to maintain compatibility.
  • When a password has already been hashed with bcrypt and verification succeeds, re-hash the password with Argon2 at sign-in.

Closes #11181

Why

  • Because it strengthens the security of the database.
  • Because passwords longer than 72 bytes, which bcrypt does not allow, become permissible.

Additional info (optional)

Pulled in kokonect-link/cherrypick@68d5487, kokonect-link/cherrypick@1da0023 and kokonect-link/cherrypick@42f3e56 from https://github.com/kokonect-link/cherrypick, updated the argon2 package and removed the lines that had been commented out.

Checklist

  • Read the contribution guide
  • Test working in a local environment
  • (If needed) Add story of storybook
  • (If needed) Update CHANGELOG.md
  • (If possible) Add tests
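
The sign-in migration described in the What section above (verify legacy bcrypt hashes, re-hash with Argon2id on success) and the 72-byte bcrypt limit from the Why section, as an added example in TypeScript that is not Misskey's or this PR's own code. It classifies a stored hash by its prefix, verifies with the matching function, and returns a fresh Argon2id hash for the caller to persist when the stored hash is bcrypt or an Argon2id hash below the cost policy. The KDF backends are injected through a `PasswordBackends` interface so the migration logic runs and can be tested without native modules; that interface, the `ARGON2_POLICY` values and the remark that production adapters would wrap the `argon2` and `bcrypt` npm packages are assumptions made for this illustration, not something the PR shows.

```typescript
// Added example (not Misskey code): bcrypt -> Argon2id migration on sign-in.
// The PasswordBackends interface and ARGON2_POLICY are assumptions for this
// illustration; production adapters would wrap `bcrypt.compare`, `argon2.verify`
// and `argon2.hash(pw, { type: argon2.argon2id })` from the npm packages.

export type HashAlgo = "bcrypt" | "argon2id" | "unknown";

/** bcrypt silently truncates its input at 72 *bytes*, not characters. */
export const BCRYPT_MAX_BYTES = 72;

/** UTF-8 byte length: 24 three-byte CJK characters already reach 72 bytes. */
export function utf8ByteLength(s: string): number {
  return new TextEncoder().encode(s).length;
}

/** Pre-migration signup/change-password guard; the Argon2id path drops it. */
export function exceedsBcryptLimit(password: string): boolean {
  return utf8ByteLength(password) > BCRYPT_MAX_BYTES;
}

/** Classify a stored hash by its modular-crypt prefix ($2a$/$2b$/$2y$ or $argon2id$). */
export function classifyHash(encoded: string): HashAlgo {
  if (/^\$2[aby]\$\d{2}\$/.test(encoded)) return "bcrypt";
  if (encoded.startsWith("$argon2id$")) return "argon2id";
  return "unknown";
}

/** Assumed minimum Argon2id cost (64 MiB, 3 passes, 4 lanes); weaker hashes are re-hashed. */
export const ARGON2_POLICY = { m: 65536, t: 3, p: 4 } as const;

export interface Argon2Params { v: number; m: number; t: number; p: number }

/** Parse `$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>`; null if malformed. */
export function parseArgon2Params(encoded: string): Argon2Params | null {
  const parts = encoded.split("$");
  if (parts.length !== 6 || parts[1] !== "argon2id") return null;
  const kv = new Map<string, number>();
  for (const field of [parts[2], ...(parts[3] ?? "").split(",")]) {
    const match = /^([vmtp])=(\d+)$/.exec(field ?? "");
    if (match === null) return null;
    kv.set(match[1] as string, Number(match[2]));
  }
  const v = kv.get("v"), m = kv.get("m"), t = kv.get("t"), p = kv.get("p");
  if (v === undefined || m === undefined || t === undefined || p === undefined) return null;
  return { v, m, t, p };
}

/** True unless the stored hash is Argon2id at or above the policy cost. */
export function needsRehash(encoded: string): boolean {
  if (classifyHash(encoded) !== "argon2id") return true;
  const params = parseArgon2Params(encoded);
  if (params === null) return true;
  return params.m < ARGON2_POLICY.m || params.t < ARGON2_POLICY.t || params.p < ARGON2_POLICY.p;
}

/** KDF backends, injected so the migration logic is testable without native modules. */
export interface PasswordBackends {
  verifyBcrypt(password: string, hash: string): Promise<boolean>;
  verifyArgon2id(password: string, hash: string): Promise<boolean>;
  hashArgon2id(password: string): Promise<string>;
}

export interface SignInResult {
  ok: boolean;
  /** Present when the caller must store a new hash for this user. */
  upgradedHash?: string;
}

export async function verifyAndUpgrade(
  storedHash: string, password: string, backends: PasswordBackends,
): Promise<SignInResult> {
  switch (classifyHash(storedHash)) {
    case "bcrypt": {
      // Legacy path: bcrypt compares only the first 72 bytes, so a longer password
      // still verifies; the full password is then bound by the new Argon2id hash.
      if (!(await backends.verifyBcrypt(password, storedHash))) return { ok: false };
      return { ok: true, upgradedHash: await backends.hashArgon2id(password) };
    }
    case "argon2id": {
      if (!(await backends.verifyArgon2id(password, storedHash))) return { ok: false };
      return needsRehash(storedHash)
        ? { ok: true, upgradedHash: await backends.hashArgon2id(password) }
        : { ok: true };
    }
    default:
      // Unknown or plaintext format: fail closed instead of guessing a verifier.
      return { ok: false };
  }
}
```

Persist `upgradedHash` on the user row in the same request that produced it, otherwise every sign-in repeats the bcrypt verification and the migration never completes. A legacy user whose password was longer than 72 bytes still signs in, because bcrypt only ever compared the truncated prefix, and from that point the Argon2id hash covers the whole password, which is what lifts the limit the Why section mentions.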

@github-actions github-actions bot added the packages/backend Server side specific issue/PR label Oct 23, 2024

github-actions bot commented Oct 23, 2024

Diff of api.json produced by this PR
No differences.
Get diff files from Workflow Page


codecov bot commented Oct 23, 2024

Codecov Report

Attention: Patch coverage is 34.04255% with 31 lines in your changes missing coverage. Please review.

Project coverage is 39.98%. Comparing base (9aebf0c) to head (3cae483).
Report is 55 commits behind head on develop.

Files with missing lines | Patch % | Lines
...ackages/backend/src/server/api/SigninApiService.ts | 5.55% | 17 Missing ⚠️
...kend/src/server/api/endpoints/i/change-password.ts | 33.33% | 2 Missing ⚠️
packages/backend/src/core/SignupService.ts | 50.00% | 1 Missing ⚠️
...ackages/backend/src/server/api/SignupApiService.ts | 50.00% | 1 Missing ⚠️
...d/src/server/api/endpoints/admin/reset-password.ts | 50.00% | 1 Missing ⚠️
...backend/src/server/api/endpoints/i/2fa/key-done.ts | 50.00% | 1 Missing ⚠️
...end/src/server/api/endpoints/i/2fa/register-key.ts | 50.00% | 1 Missing ⚠️
...backend/src/server/api/endpoints/i/2fa/register.ts | 50.00% | 1 Missing ⚠️
...ckend/src/server/api/endpoints/i/2fa/remove-key.ts | 50.00% | 1 Missing ⚠️
...ckend/src/server/api/endpoints/i/2fa/unregister.ts | 50.00% | 1 Missing ⚠️
... and 4 more
Additional details and impacted files
@@           Coverage Diff            @@
##           develop   #14824   +/-   ##
========================================
  Coverage    39.97%   39.98%           
========================================
  Files         1561     1561           
  Lines       197256   197267   +11     
  Branches      3607     3619   +12     
========================================
+ Hits         78849    78873   +24     
- Misses      117801   117822   +21     
+ Partials       606      572   -34     


@sorairolake changed the title from "feat(backend): Replace bcrypt with Argon2" to "enhance(backend): Replace bcrypt with Argon2" Oct 23, 2024
@sorairolake requested a review from tai-cha October 26, 2024 01:27
@sorairolake changed the title from "enhance(backend): Replace bcrypt with Argon2" to "enhance(backend): Change the key derivation function used for password hashing from bcrypt to Argon2" Oct 28, 2024
Squashed commit of the following:

commit 4862fd8467d529c54d0aa3e6abff15a574459a8b
Author: Shun Sakai <[email protected]>
Date:   Wed Oct 23 20:44:30 2024 +0900

    chore(backend): Update `argon2` package

commit a52eff5deaee39c0a70c83da49ca58d0eab8d513
Author: NoriDev <[email protected]>
Date:   Mon Oct 7 18:11:34 2024 +0900

    Revert "tweak 0dc322b6 (1673beta/cherrypick#88)"

    This reverts commit ab6a5d0c3dbe7146de19d72d08658b1c011fe30a.

commit be51daec8a916a2668ea5794e067bde06499e1a4
Author: Mar0xy <[email protected]>
Date:   Wed Sep 27 21:46:56 2023 +0200

    upd: rehash misskey passwords with argon2 on login

commit 67b124b7e6e8f1b1d1738ea9a123ab0500876d58
Author: Mar0xy <[email protected]>
Date:   Fri Sep 22 00:21:57 2023 +0200

    upd: swap bcrypt to argon2
@sorairolake (Contributor, Author) commented:

Is an update to CHANGELOG.md needed?

@kakkokari-gtyih kakkokari-gtyih added the ☢️Breaking This change breaks compatibility label Dec 30, 2024
Labels: ☢️Breaking (This change breaks compatibility), packages/backend:test, packages/backend (Server side specific issue/PR)

Successfully merging this pull request may close these issues.

Limit the maximum password length to 72 bytes or change the key derivation function

3 participants